Cover image for Let's Encrypt: Certbot For OpenBSD's httpd

Let's Encrypt: Certbot For OpenBSD's httpd

nabbisen profile image Heddi Nabbisen Updated on ・4 min read

SSL/TLS certificates with Let's Encrypt (3 Part Series)

1) Let's Encrypt: Certbot For OpenBSD's httpd 2) Let's Encrypt: Wildcard Certificate With Certbot 3) Let's Encrypt: Renew Wildcard Certificate With Certbot

* The cover image is originally by markusspiske and edited with great appreciation.


Let's Encrypt is "a free, automated, and open Certificate Authority".
Certbot is "an easy-to-use automatic client that fetches and deploys SSL/TLS certificates for your web server", well known as “the official Let’s Encrypt client”.

I remember well how excited I felt when I read Let's Encrypt's "Our First Certificate Is Now Live" in 2015.
How wonderful the goal of them is; it's to "give people the digital certificates they need in order to enable HTTPS (SSL/TLS) for websites, for free" "to create a more secure and privacy-respecting Web"!
Since 2018, they have begun to support even ACME v2 and Wildcard Certificate!

Well, in OpenBSD as well as other operation systems, it's easy and comfortable to have their big help 😊


  • OS: OpenBSD 6.4 amd64
  • Web Server: OpenBSD's httpd
  • Certification: Let's Encrypt with Certbot 0.27

Reference: OpenBSD's httpd

How To Install Certbot


# pkg_add certbot

How To Obtain Certificates

First, let's prepare a directory as webroot:

# mkdir /var/www/%your-webroot%

Next, edit /etc/httpd.conf in order to build a web server of %your-domain% listening to Let's Encrypt's HTTP challenge for certification:

# [/etc/httpd.conf]

types {
        include "/usr/share/misc/mime.types"

ext_addr = egress

# ...

cert_domain = %your-domain%
server $cert_domain {
        listen on $ext_addr port 80
        root "/%your-webroot%"
        directory auto index

Then reload the configuration:

# rcctl restart httpd

OK. We're ready.

(* You don't need to stop the web server temporarily to release port 80 for --standalone thanks to --webroot! *)

Let's try to obtain a new certificate:

# certbot certonly --webroot -w /var/www/%your-webroot% -d %your-domain%

* Note: The meanings of the above subcommand and options are below according to the manual:

Subcommand/Option Description
certonly Obtain or renew a certificate, but do not install it.
--webroot Place files in a server's webroot directory for authentication.
--webroot-path WEBROOT_PATH, -w WEBROOT_PATH Webroot / public_html path[s individually].
-d DOMAIN, --domains DOMAIN Specified domain[s individually].

Besides, it's possible to omit --webroot -w /var/www/%your-webroot% because you are asked later (and so it becomes non-automatic process).

* Note: If it's your first time, you are asked your email address where the CA (certificate authority) will send notification emails. Alternatively, you can use the -m EMAIL, --email EMAIL option on the command line.

Anyway, certbot outputs like this:

# certbot certonly --webroot -w /var/www/%your-webroot% -d %your-domain%

Saving debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator webroot, Installer None
Obtaining a new certificate
Performing the following challenges:
http-01 challenge for %your-domain%
Using the webroot path /var/www/%your-webroot% for all unmatched domains.
Waiting for verification...
Cleaning up challenges

 - Congratulations! Your certificate and chain have been saved at:
   Your key file has been saved at:
   Your cert will expire on 20??-??-??. To obtain a new or tweaked
   version of this certificate in the future, simply run certbot
   again. To non-interactively renew *all* of your certificates, run
   "certbot renew"
 - If you like Certbot, please consider supporting our work by:

   Donating to ISRG / Let's Encrypt:   https://letsencrypt.org/donate
   Donating to EFF:                    https://eff.org/donate-le

We receive the sweet "Congratulations!" message.
Let's reflect gotten fullchain.pem and privkey.pem in /etc/httpd.conf:

# [/etc/httpd.conf]

types {
        include "/usr/share/misc/mime.types"

ext_addr = egress

# ...

#cert_domain = %your-domain%
#server $cert_domain {
#        listen on $ext_addr port 80
#        root "/%your-webroot%"
#        directory auto index

server "%your-domain%" {
        listen on $ext_addr port 80
        block return 301 "https://$SERVER_NAME$REQUEST_URI"
server "%your-domain%" {
        listen on $ext_addr tls port 443
        tls {
                certificate     "/etc/letsencrypt/live/%your-domain%/fullchain.pem"
                key             "/etc/letsencrypt/live/%your-domain%/privkey.pem"
        root "/%your-webroot%"
        directory auto index

And then:

# rcctl restart httpd

Now we obtain the web server to create HTTPS connection whenever it's accessed at last!

How To Manage Obtained Certificates

Please bear in mind that Let's Encript's certificates are valid for 90 days and why it is.

These are the basic subcommands of certbot:

Subcommand Description
certificates List certificates managed by Certbot
renew Renew all certificates (or one specified with --cert-name)
delete Clean up all files related to a certificate
revoke Revoke a certificate specified with --cert-path or --cert-name
To list
# certbot certificates
Saving debug log to /var/log/letsencrypt/letsencrypt.log

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Found the following certs:
  Certificate Name: %your-domain%
    Domains: %your-domain%
    Expiry Date: 20??-??-?? ??:??:??+00:00 (VALID: 90 days)
    Certificate Path: /etc/letsencrypt/live/%your-domain%/fullchain.pem
    Private Key Path: /etc/letsencrypt/live/%your-domain%/privkey.pem
  Certificate Name: ...
To renew

Simple usage is like this to "renew any previously-obtained certificates that expire in less than 30 days":

# certbot renew

Pre/Post-Hooks are available:

# certbot renew --pre-hook "rcctl stop httpd" --post-hook "rcctl start httpd"
To delete

Delete a certificate completely:

# certbot delete --cert-name %your-domain%
✿ ✿ ✿

Happy serving 🌵

SSL/TLS certificates with Let's Encrypt (3 Part Series)

1) Let's Encrypt: Certbot For OpenBSD's httpd 2) Let's Encrypt: Wildcard Certificate With Certbot 3) Let's Encrypt: Renew Wildcard Certificate With Certbot

Posted on Dec 14 '18 by:

nabbisen profile

Heddi Nabbisen


An ICT designer/developer and a security monk. "With a cool brain and a warm heart", I am challenging unsolved problems in our society. I use OpenBSD/Rust/etc.


markdown guide

Hello! Great post, I used it to set up my personal website. One note, though— the pre-hooks/post-hooks section should actually be

certbot renew --pre-hook "rcctl stop httpd" --post-hook "rcctl start httpd"

Since rcctl requires the command first and the service second as argument. Again, thanks for the great article!


Hello, Gabriel!
Thank you so much for your warmful messages.
Also, thank your for your feedback.
I corrected my mistake on arguments order.
I'm happy to hear from you 😉